Behodler contest - GeekyLumberjack's results

Handle

GeekyLumberjack

Vulnerability details

Impact

generateFLNQuote() can be used to always cause migrate() to revert. Effectively ending one of Behodler's main function's operability. Migration is core to Behodler economics.

Proof of Concept

1. Attacker would write a script to call generateFLNQuote() on a regular basis.
2. User would attempt to call migrate() but it would always revert.

This happens because generateFLNQuote() directly sets latestFlanQuotes[0].blockProduced. Each time generateFLNQuote() is called latestFlanQuotes[0] gets assigned to latestFlanQuotes[1]. Both are used in _ensurePriceStability() to require a certain amount of time between each check. Unfortunately generateFLNQuote() is a public function, making it possible to continuously reset latestFlanQuotes[0].blockProduced so it will never pass the require in _ensurePriceStability()

migrate() uses _ensurePriceStability() through this series of calls:

migrate() -> migrate() -> stabilizeFlan() -> ensurePriceStability() -> _ensurePriceStability()

This is verifiable in the hardhat tests as well. You can add additional await this.uniswapHelper.generateFLNQuote(); to test cases and receive an EH error code.

Tools Used

Manual analysis / hardhat

Recommended Mitigation Steps

Add a require statement inside generateFLNQuote() that won't allow it to be called before it needs to be.

This may work:

require( localFlanQuotes[0].blockProduced + VARS.minQuoteWaitDuration <= block.number || localFlanQuotes[0].blockProduced == 0, "EH" );

Note on Severity

Due to the ease of exploit and high impact that this type of attack would have on the core functionality of the protocol a high severity seemed appropriate. Because there is no direct stealing of funds I believe it reduces the likelihood of exploit. Using OWASP risk rating methodology High impact * Medium likelihood = High vulnerability